---
title: Troubleshooting and common errors for tunnels
url: https://www.tines.com/docs/admin/tunnel/tunnel-faqs/
updated: 2026-04-29T16:55:05+00:00
---

*[tines.com](https://www.tines.com/llms.txt) › [Docs](https://www.tines.com/llms.txt) › [Admin](https://www.tines.com/llm/docs/admin.md) › [Tunnel](https://www.tines.com/llm/docs/admin/tunnel.md)*

# Troubleshooting and common errors for tunnels

*[View on tines.com](https://www.tines.com/docs/admin/tunnel/tunnel-faqs/)*

## Troubleshooting

> **NOTE:** Error messages display the original tunnel name under which it was created as opposed to any custom subdomains.

### Container connectivity

Check that your container is active. For example, if you're using Docker, you can use the following command to check the status and how long it's been up:

```bash
docker ps
```

### Container logs

You can also tail the logs to check for any errors. Here's another Docker example:

```bash
docker logs <container name or container id> --tail all
```

If there isn't enough detail, you can specify the log level you need using the environment variable `TUNNEL_LOGLEVEL` when starting a container. We recommend turning off the debug logs, since the debug logs can contain sensitive information. The levels correlate to [Cloudflare tunnel log levels.](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#loglevel)

```bash
docker run \
  --env TINES_TUNNEL_SECRET="secret" \
  --env TUNNEL_LOGLEVEL=debug \
  tines/tines-tunnel:latest
```

### Tunnel connectivity

Check that your tunnel is healthy using the Settings page that lists [tunnel health statuses](https://www.tines.com/docs/admin/tunnel#health-statuses).

> **INFO:** The number next to the tunnel status represents total active client connections for the tunnel. See more info [here](https://explained.tines.com/en/articles/10922763-what-does-the-number-signify-next-to-the-tunnel-status-on-the-tunnel-configurations-page).

### Action configuration

Check that your action is configured with the correct URL to your private network system by using `curl` from within your container.

If you can see an error in the action log, check the common errors below to help diagnose the issue.

## Tunnel Troubleshooting Script

If your tunnel container successfully starts but is not connecting, run the provided `tunnel-troubleshoot.sh`. Start an interactive bash session in the Tunnel container and execute `/home/tines/tunnel-troubleshoot.sh.` The script will check for connectivity issues, proxies, tunnel credentials, and container metrics. You should see an output for each test and recommendations to follow if there are any failures:

```bash
Cloudflare Tunnel Connectivity Troubleshooter
Timestamp: 2026-03-11 16:42:10 UTC
1. DNS SRV Resolution (edge server discovery)
  PASS: SRV record resolved
    target=region1.v2.argotunnel.com.  port=7844
    target=region2.v2.argotunnel.com.  port=7844
2. Edge Connectivity (port 7844, IPv4)
  PASS: region1.v2.argotunnel.com:7844 TCP open
  PASS: region2.v2.argotunnel.com:7844 TCP open
3. Edge TLS Handshake (port 7844, IPv4)
  PASS: region1.v2.argotunnel.com:7844 TLS OK
  PASS: region2.v2.argotunnel.com:7844 TLS OK
  IPv6: not available (not required — cloudflared uses IPv4 by default)
3b. TLS Interception Check
  Certificate issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
  PASS: Direct connection to Cloudflare (no TLS interception)
4. Cloudflare API (port 443)
  PASS: api.cloudflare.com reachable (HTTP 404)
5. Proxy Configuration
  HTTP_PROXY:  <unset>
  HTTPS_PROXY: <unset>
  NO_PROXY:    <unset>
6. Tunnel Credentials
  PASS: Secret present via file /run/secrets/TINES_TUNNEL_SECRET (184 bytes)
7. Metrics Endpoint
  readyConnections: 4 (from http://127.0.0.1:9000/ready)
  PASS: Tunnel has 4 active connections
---
Passed: 10  Failed: 0
```

### Run the troubleshooter at startup

If you can't easily exec into the tunnel container (for example, in locked-down Kubernetes clusters), you can run the troubleshooting script automatically at container startup by setting the ``TUNNEL_TROUBLESHOOT_ON_START`` environmentvariable to ``true``:

```
docker run
--env TINES_TUNNEL_SECRET="secret"
--env TUNNEL_TROUBLESHOOT_ON_START=true
tines/tines-tunnel:latest
```

When enabled, the diagnostic output appears in the container logs with a`[STARTUP-DIAG]` prefix, making it easy to filter:

```
docker logs | grep "STARTUP−DIAG"
```

This is off by default and does not affect tunnel startup — if any diagnostic check fails, the tunnel still starts normally.

## Common Errors

Commonly encountered errors when using a tunnel in your `HTTP Request` or `Send Email Action` and how to troubleshoot.

### `TUNNEL_CONNECTION_ERROR`

We were unable to establish a tunnelled connection for `tunnelName`

**This may be an issue with either the endpoint being called from the action** **request or the tunnel being down.**

Please check the following:

1.  Your `tines-tunnel` container is active.
2. The tunnel is properly configured and healthy.
3. The action request endpoint used is a valid hostname and url.

You can see the health status of your tines tunnel by visiting `/settings/tunnel` and viewing the tunnel status.

### `TUNNEL_CONNECTION_ERROR: Exception encountered is: Connection reset by peer - SSL_connect`

We were unable to establish a tunnelled connection to the tunnel container or the remote origin behind the tunnel container. This error likely indicates that the TCP/TLS handshake between Tines and the remote origin failed. To remediate the issue please check the following:

1.  Your tines-tunnel container is active.
2. The tunnel is properly configured and healthy.
3. You are able to send a `curl` or similar to the remote origin from within the tunnel container.
4. The action request endpoint used is a valid hostname and url.

You can see the health status of your tines tunnel by visiting `/settings/tunnel` and viewing the tunnel status. If the issue persists, please reach out to our support team.

### `TUNNEL_OPEN_TIMEOUT_ERROR`

We encountered a timeout while opening the tunnel connection for `tunnelName.`

**This may be an issue with either the endpoint being called from the action** **request or the tunnel being down.**

Please check the following:

1.  Your `tines-tunnel` container is active.
2. The tunnel is properly configured and healthy.
3. The action request endpoint is a valid hostname and url.

You can see the health status of your tines tunnel by visiting `/settings/tunnel` and viewing the tunnel status.

If the tunnel is configured correctly, the server may not be responding promptly.

To troubleshoot further:

1. Copy your Tines Action as a curl command and run it in your container (on your server).
2. If it works, it's likely a timeout issue. Increase the timeout on your HTTP Request Action to at least 60 seconds.

### `SSL_ERROR`

An SSL connection error was returned for the request.

SSL certificate verification failed. This may be caused by an outdated SSL certificate, incorrect URL, network issues, or misconfigurations.

To resolve, check the following:

1. Renew or Update SSL Certificate: Ensure it's current.
2. Check URL and Parameters of action request are correct.
3. Network Configuration: Inspect for issues.
4. Disable SSL verification temporarily: Consider setting `disable_ssl_verification` to `true`, in the action options.

> **NOTE:** When a request through a tunnel fails with SSL certificate validation errors, we may need to [add a custom certificate authority (CA)](https://www.tines.com/docs/admin/custom-certificate-authority/) to the tenant trust store. This is common in environments that use internal public key infrastructure (PKI)or TLS-inspecting proxies that re-sign certificates. As a rule of thumb, if setting `disable_ssl_verification=true` makes the request succeed, the long-term fix is to import the correct custom CA and then re-enable SSL verification

### `TINES_TUNNEL_SECRET environment variable has an invalid value.`

This might happen if you're using [Docker secrets to store variables](https://www.tines.com/docs/self-hosting/additional-applications/). Check that you're setting a `secret-env` at `/run/secrets/secret-env.`

### `unknown protocol`

If the tunnel is failing to connect to Cloudflare servers, you can try switching to a different protocol using the  [https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#protocol](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-run-parameters/#protocol). For some customers, quic does not work but http2 does.